Common Vulnerabilities and Exposures by NIST

CVE-2014-9089 7.5

2014-11-28 2014-11-28

Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php.

Vendor(s): Mantisbt

Affected OS(s) / software(s): 1

CVE-2014-8994 3.6

2014-11-28 2014-11-28

The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows local users to write to arbitrary files via a symlink attack on a temporary file with a predictable name (tmp/check_diskio_status-*-*).

Vendor(s): Check diskio project

Affected OS(s) / software(s): 2

CVE-2014-8801 5

2014-11-28 2014-11-28

Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php.

Vendor(s): Paidmembershipspro

Affected OS(s) / software(s): 1

CVE-2014-8799 5

2014-11-28 2014-11-28

Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.

Vendor(s): Dukapress project

Affected OS(s) / software(s): 1

CVE-2014-8429 6.8

2014-11-28 2014-11-28

Cross-site request forgery (CSRF) vulnerability in Xavoc Technocrats xEpan CMS 1.0.4.1, 1.0.4, 1.0.1, and earlier allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts via a crafted request to the owner/users page.

Vendor(s): Xavoc

Affected OS(s) / software(s): 3

CVE-2014-8425 7.8

2014-11-28 2014-11-28

The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files.

Vendor(s): Arris

Affected OS(s) / software(s): 1

CVE-2014-8424 7.8

2014-11-28 2014-11-28

ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

Vendor(s): Arris

Affected OS(s) / software(s): 1

CVE-2014-8423 10

2014-11-28 2014-11-28

Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.

Vendor(s): Arris

Affected OS(s) / software(s): 1

CVE-2014-7850 4.3

2014-11-28 2014-11-28

Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation.

Vendor(s): Redhat

Affected OS(s) / software(s): 8